How to Set Up Falco on Kubernetes: A Guide to Improving Your Container Security

As containerized applications continue to rise in popularity, ensuring their security becomes more and more crucial. With Kubernetes, you have a powerful tool for managing containers, but it doesn’t necessarily provide all the security features you need out of the box. That’s where Falco comes in.

Falco is an open-source runtime security tool (a CNCF project) that watches system calls on every node of your Kubernetes cluster, matches them against a set of rules in real time and alerts you to suspicious activity, such as a shell spawned in a container or a credential file being read. In this guide, we’ll walk through setting up Falco on a Kubernetes cluster with Helm and discuss its main benefits.

Install Falco on Your Kubernetes Cluster

There are a few ways to install Falco; the official documentation covers general installation and deployment directly on Kubernetes. The easiest way to install it on a Kubernetes cluster is with Helm, the Kubernetes package manager, which makes it easy to install, upgrade and manage applications.

This takes a few steps:

# Add the falcosecurity chart repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# Install the chart into its own namespace
helm install falco falcosecurity/falco --namespace falco --create-namespace

# Verify the installation: Falco runs as a DaemonSet, so expect one pod per node
kubectl get pods -n falco -o wide

Configure Falco

By default, Falco comes with a set of rules that detect common security issues. However, you may want to customize these rules to fit your specific use case.

To do this, create a Helm values file that carries your rules under the chart’s customRules key. Each entry under that key is written out as a rules file and loaded after the default rule set, so it can reference the default lists and macros as well as define its own. For example:

# custom-rules.yaml

customRules:
  custom-rules.yaml: |-
    - rule: shell_in_container
      desc: notice shell activity within a container
      condition: evt.type = execve and evt.dir = < and container.id != host and (proc.name = bash or proc.name = ksh)
      output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
      priority: WARNING
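As an added example (it is not from the original post or the Falco project), here is a fuller custom-rules.yaml that uses the same customRules key but splits the condition into a list and two macros, covers plain sh and ash (which kubectl exec typically lands in) as well as bash and ksh, excludes images in which a shell is expected, and adds a second rule for successful reads of /etc/shadow or /etc/sudoers inside a container. The image names in shell_allowed_images are placeholders to replace with your own, and the _custom suffixes keep the list and macro names from colliding with similarly named ones in the default rule set.

```yaml
# custom-rules.yaml  (Helm values file; everything under customRules becomes a
# rules file mounted into the Falco pods and loaded after the default rule set)
customRules:
  custom-rules.yaml: |-
    # A list keeps the set of shells in one place; sh/ash matter because
    # `kubectl exec -it <pod> -- sh` is the most common way into a container.
    - list: shell_binaries_custom
      items: [bash, sh, ash, dash, ksh, zsh]

    # Images in which an interactive shell is expected (debug/toolbox images).
    # Placeholder values: use the repository exactly as your runtime reports it,
    # which you can read off %container.image.repository in a real alert.
    - list: shell_allowed_images
      items: ["docker.io/library/busybox", "registry.example.com/ops/toolbox"]

    # Process exec has completed (exit side of execve).
    - macro: spawned_process_custom
      condition: evt.type = execve and evt.dir = <

    # Event came from a container rather than the host.
    - macro: in_container_custom
      condition: container.id != host

    - rule: shell_in_container_custom
      desc: Interactive shell started in a container whose image is not on the allow list
      condition: >
        spawned_process_custom and in_container_custom
        and proc.name in (shell_binaries_custom)
        and not container.image.repository in (shell_allowed_images)
      output: >
        Shell in a container (user=%user.name container_id=%container.id
        container_name=%container.name image=%container.image.repository
        shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
      priority: WARNING
      tags: [container, shell]

    - rule: sensitive_file_read_in_container
      desc: A process in a container successfully opened a credential file for reading
      condition: >
        in_container_custom
        and evt.type in (open, openat) and evt.dir = <
        and evt.is_open_read = true and fd.num >= 0
        and fd.name in (/etc/shadow, /etc/sudoers)
      output: >
        Sensitive file opened for reading in a container (user=%user.name
        container_name=%container.name image=%container.image.repository
        file=%fd.name proc=%proc.name cmdline=%proc.cmdline)
      priority: CRITICAL
      tags: [container, filesystem]
```

The fd.num >= 0 clause restricts the second rule to opens that succeeded, which is how the default sensitive-file rules avoid alerting on every denied attempt by an unprivileged process. Once the rules are deployed, `kubectl exec -it <some pod> -- sh` should produce a shell_in_container_custom alert in the Falco logs of the node running that pod, and `cat /etc/shadow` as root inside that shell a sensitive_file_read_in_container alert; that is the quickest end-to-end check that both the rules and the log pipeline work.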

Then apply the rules to your Falco installation. The simplest route is to uninstall and reinstall the release with the values file (helm upgrade --install falco -f custom-rules.yaml falcosecurity/falco --namespace falco achieves the same without removing the release first):

# uninstall the previous release
helm uninstall falco --namespace falco

# re-install Falco with the custom rules
helm install falco -f custom-rules.yaml falcosecurity/falco --namespace falco

# or adjust other chart values at the same time, for example to use the eBPF
# probe instead of the kernel module and to change the output rate limits.
# Value names differ between chart versions (older 1.x charts use ebpf.enabled,
# newer charts select the driver with driver.kind=ebpf), so check them with
# `helm show values falcosecurity/falco` before relying on them:
helm install falco -f custom-rules.yaml --set ebpf.enabled=true,outputs.rate=.03333,outputs.maxRate=10 falcosecurity/falco --namespace falco

This creates a ConfigMap called falco-rules that holds your custom rules; you can view it by running:

kubectl get configmap falco-rules -n falco -o yaml

Depending on your cluster configuration, I have found it sometimes helps to edit the DaemonSet (kubectl edit daemonset -n falco falco) and attach a TTY to the falco container:

[...]
    spec:
      containers:
      - args:
        [...]
        name: falco
        tty: true   # this line
        [...]

Attaching a TTY makes Falco’s standard output line-buffered, so alerts reach kubectl logs as soon as they are emitted instead of sitting in a block buffer. The chart exposes the same setting as the tty value (--set tty=true), which is preferable to editing the DaemonSet by hand because a later helm upgrade would overwrite the manual change.

View Falco Alerts

Falco writes alerts to the container’s standard output (it can also send them to a file, syslog, an HTTP endpoint or gRPC), so they show up in the pod logs rather than anywhere in the Kubernetes API. Because Falco runs as a DaemonSet with one pod per node, pick a pod and read its logs with kubectl logs:

kubectl logs -n falco falco-pod-name

# read every Falco pod at once by label instead of looking up names;
# -c names the container, since newer chart releases also run a falcoctl sidecar
# (current charts label pods app.kubernetes.io/name=falco, older 1.x releases app=falco):
kubectl logs -n falco -l app=falco -c falco --tail=100

# or pick a single pod by name; kubectl logs accepts only one pod name, so select
# the first match with [0] rather than all of them with [*]:
kubectl logs -n falco $(kubectl get pods -n falco --selector app=falco --output=jsonpath='{.items[0].metadata.name}')

This shows the alerts from the selected pods, interleaved with Falco’s own startup messages. To filter by priority, rule or any other field, enable JSON output in Falco’s configuration (json_output: true in falco.yaml, which the chart renders from its values) and pipe the lines through jq or grep, for example kubectl logs -n falco -l app=falco -c falco | jq -c 'select(.priority == "Warning")'.
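When jq is not installed on the workstation, the same filtering can be done with POSIX shell tools. The script below is an added example, not code from the original post or the Falco project: it reads Falco JSON alert lines on stdin, ranks them by Falco’s priority names, prints the priority and rule name of every alert at or above a threshold, and skips non-alert lines such as the startup banner. The log lines embedded in it are constructed to look like Falco’s JSON output and were not captured from a real cluster; the label selector and container name in the usage comment assume the current chart’s labels.

```shell
#!/bin/sh
# Filter Falco JSON alerts by minimum priority with POSIX shell tools only.
# Usage: kubectl logs -n falco -l app.kubernetes.io/name=falco -c falco --tail=1000 | sh filter.sh Warning
# (added example; not part of the original post or the Falco project)

# Falco priorities, highest first, spelled as they appear in the JSON "priority" field.
falco_priority_rank() {
  case "$1" in
    Emergency) echo 0 ;;
    Alert) echo 1 ;;
    Critical) echo 2 ;;
    Error) echo 3 ;;
    Warning) echo 4 ;;
    Notice) echo 5 ;;
    Informational) echo 6 ;;
    Debug) echo 7 ;;
    *) echo 99 ;;   # unknown value: never passes a threshold
  esac
}

# Pull the top-level "priority" value out of one JSON alert line (no jq needed).
# Prints nothing for lines that are not alerts.
falco_alert_priority() {
  printf '%s\n' "$1" | sed -n 's/.*"priority": *"\([A-Za-z]*\)".*/\1/p'
}

# Same for the "rule" field.
falco_alert_rule() {
  printf '%s\n' "$1" | sed -n 's/.*"rule": *"\([^"]*\)".*/\1/p'
}

# Read alert lines on stdin; print "<priority> <rule>" for every alert whose
# priority is at or above the threshold given as $1 (default Warning).
filter_falco_alerts() {
  threshold=$(falco_priority_rank "${1:-Warning}")
  while IFS= read -r line; do
    p=$(falco_alert_priority "$line")
    [ -n "$p" ] || continue            # banner, driver-loader output, etc.
    if [ "$(falco_priority_rank "$p")" -le "$threshold" ]; then
      printf '%s %s\n' "$p" "$(falco_alert_rule "$line")"
    fi
  done
  return 0
}

# Constructed sample of what Falco prints with json_output enabled; not real captured logs.
SAMPLE_FALCO_LOG='Mon Jan  1 12:00:00 2024: Falco version: 0.36.2 (x86_64)
{"hostname":"node-a","output":"12:00:01.000000001: Warning Shell in a container (user=root container_id=1a2b3c container_name=app shell=bash parent=runc cmdline=bash)","priority":"Warning","rule":"shell_in_container","source":"syscall","tags":["container","shell"],"time":"2024-01-01T12:00:01.000000001Z","output_fields":{"container.id":"1a2b3c","proc.name":"bash","user.name":"root"}}
{"hostname":"node-a","output":"12:00:02.000000002: Notice Unexpected UDP traffic seen by container (command=app)","priority":"Notice","rule":"Unexpected UDP Traffic","source":"syscall","tags":["network"],"time":"2024-01-01T12:00:02.000000002Z","output_fields":{"container.id":"1a2b3c"}}
{"hostname":"node-b","output":"12:00:03.000000003: Critical Sensitive file opened for reading in a container (file=/etc/shadow)","priority":"Critical","rule":"sensitive_file_read_in_container","source":"syscall","tags":["container","filesystem"],"time":"2024-01-01T12:00:03.000000003Z","output_fields":{"fd.name":"/etc/shadow"}}'

# Run the filter over the embedded sample so the behaviour can be checked without a cluster.
filter_sample() {
  printf '%s\n' "$SAMPLE_FALCO_LOG" | filter_falco_alerts "$1"
}

case "${1:-}" in
  "") ;;                               # sourced or run without arguments: only define the functions
  --demo) filter_sample Warning ;;     # prints: Warning shell_in_container / Critical sensitive_file_read_in_container
  *) filter_falco_alerts "$1" ;;       # e.g. kubectl logs ... | sh filter.sh Notice
esac
```

The two sed expressions rely on "priority" and "rule" appearing exactly once per line as top-level keys, which holds for Falco’s JSON output; other top-level fields such as hostname or time can be pulled out with the same pattern. Because Falco’s startup banner and any driver-loader output carry no priority, they fall through the filter instead of breaking it.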

Benefits of Using Falco

Now that you’ve set up Falco on your Kubernetes cluster, let’s take a look at some of the main benefits of using this container security tool:

Real-Time Monitoring

Falco monitors your Kubernetes cluster in real-time, which means you can quickly detect any suspicious activity as soon as it happens.

Customizable Rules

Falco comes with a set of default rules, but you can also create your own custom rules to detect specific security issues.

Kubernetes Native

Falco is Kubernetes-aware rather than Kubernetes-only: it runs as a DaemonSet on every node, enriches each alert with container and Kubernetes metadata such as pod, namespace and image, and can also consume Kubernetes audit events, so it fits naturally into a cluster while still protecting plain Linux hosts.

Open-Source and Free

One major benefit of Falco is that it is open-source and free to use, making it accessible to a wide range of organizations and individuals. As an open-source project, Falco benefits from the contributions of a large community of developers and users, who can help to identify and address bugs and security vulnerabilities.

Conclusion

In this article, I’ve explored the benefits of using Falco for runtime security monitoring in Kubernetes, as well as the steps to set it up on your cluster using a Helm chart. With Falco, you can gain visibility into the security of your Kubernetes environment, detect and alert on suspicious activity, and protect your applications and data from potential threats.
